https://bugs.openldap.org/show_bug.cgi?id=10323
Issue ID: 10323
Summary: Starttls critical not working on lloadd
Product: OpenLDAP
Version: 2.6.9
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: lloadd
Assignee: bugs@openldap.org
Reporter: grichier@scaleway.com
Target Milestone: ---
Hello,
Looks like starttls critical is not working on lloadd.
I have a backend with starttls configured but with a bad CN. When I directly query the backend using ldapsearch with option -ZZ, I get the following error:
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
But when I query the lloadd, which uses the same backend with olcBkLloadStartTLS set to critical, it works...
On a tcpdump I can see the communication between backend and lloadd is not using starttls (cleartext). But it shouldn't (critical option).
cn: {1}ldap://ldap01.example.com
olcBkLloadBackendUri: ldap://ldap01.example.com
olcBkLloadNumconns: 10
olcBkLloadBindconns: 5
olcBkLloadRetry: 5000
olcBkLloadMaxPendingOps: 50
olcBkLloadMaxPendingConns: 10
olcBkLloadWeight: 1
olcBkLloadStartTLS: critical
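The failure mode described in the report, a proxy that was told starttls=critical but still sends the bind to the backend in the clear, is easy to confirm with a capture and a small protocol-level check. The following is an added example, not OpenLDAP or lloadd code: it parses the reassembled client-to-server TCP payload of an LDAP connection (here a constructed byte stream, not a real capture) and reports every simple bind that was sent before a StartTLS extended request (OID 1.3.6.1.4.1.1466.20037). Parsing stops at the first StartTLS request, because everything after it should be a TLS handshake rather than LDAP. The BER helpers and the sample messages are assumptions of this example; the tag values come from RFC 4511.

```python
"""Flag LDAP simple binds that reach the wire before StartTLS on one connection.

Added example (not OpenLDAP code). Input is the reassembled client->server
TCP payload, e.g. from lloadd to a backend, as extracted from a pcap.
"""
from __future__ import annotations

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
TAG_SEQUENCE = 0x30          # LDAPMessage envelope
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23], constructed
TAG_CTX0 = 0x80              # [0] primitive: simple password / requestName


def ber_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ber_encode(tag: int, value: bytes) -> bytes:
    """Encode one definite-length TLV (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def ber_int(v: int) -> bytes:
    return ber_encode(TAG_INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ldap_message(msg_id: int, op: bytes) -> bytes:
    return ber_encode(TAG_SEQUENCE, ber_int(msg_id) + op)


def simple_bind(msg_id: int, dn: bytes, password: bytes) -> bytes:
    """BindRequest with simple authentication: the password travels as an OCTET STRING."""
    body = ber_int(3) + ber_encode(TAG_OCTET_STRING, dn) + ber_encode(TAG_CTX0, password)
    return ldap_message(msg_id, ber_encode(TAG_BIND_REQUEST, body))


def starttls_request(msg_id: int) -> bytes:
    return ldap_message(msg_id, ber_encode(TAG_EXTENDED_REQUEST, ber_encode(TAG_CTX0, STARTTLS_OID)))


def cleartext_simple_binds(stream: bytes) -> list[int]:
    """Return the messageIDs of simple binds sent before any StartTLS request."""
    found: list[int] = []
    pos = 0
    while pos < len(stream):
        start = pos
        tag, msg, pos = ber_tlv(stream, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError(f"not an LDAPMessage at offset {start}: tag 0x{tag:02x}")
        _, raw_id, p = ber_tlv(msg, 0)
        msg_id = int.from_bytes(raw_id, "big", signed=True)
        op_tag, op, _ = ber_tlv(msg, p)
        if op_tag == TAG_EXTENDED_REQUEST:
            name_tag, name, _ = ber_tlv(op, 0)
            if name_tag == TAG_CTX0 and name == STARTTLS_OID:
                break                        # remaining bytes are the TLS handshake, not LDAP
        elif op_tag == TAG_BIND_REQUEST:
            _, _, q = ber_tlv(op, 0)         # version
            _, _, q = ber_tlv(op, q)         # bind DN
            auth_tag, _, _ = ber_tlv(op, q)
            if auth_tag == TAG_CTX0:         # simple auth: credentials are readable on the wire
                found.append(msg_id)
    return found


# Constructed sample streams (not real captures).
# What the reporter saw: binds in the clear and no StartTLS at all.
CLEARTEXT_STREAM = (simple_bind(1, b"cn=proxy,dc=example,dc=com", b"s3cret")
                    + simple_bind(2, b"cn=app,dc=example,dc=com", b"hunter2"))
# What starttls=critical should produce: StartTLS first, then opaque TLS records.
PROTECTED_STREAM = starttls_request(1) + b"\x16\x03\x01\x00\x05hello"
# A bind leaked before StartTLS is still a finding.
MIXED_STREAM = simple_bind(1, b"cn=proxy,dc=example,dc=com", b"s3cret") + starttls_request(2) + b"\x16\x03"

if __name__ == "__main__":
    for label, stream in (("cleartext", CLEARTEXT_STREAM), ("protected", PROTECTED_STREAM), ("mixed", MIXED_STREAM)):
        print(f"{label}: simple binds before StartTLS -> {cleartext_simple_binds(stream)}")
```

Run it against the lloadd-to-backend direction of a capture taken while the proxy opens its pool; with a correctly applied starttls=critical setting the list is empty, and a non-empty list means the credentials from bindconf are on the wire in the clear regardless of what the configuration says.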
--- Comment #1 from grichier@scaleway.com ---
I've tried with a valid backend certificate with option critical and also with option yes -> tcpdump does not show starttls and creds are sent in cleartext..
--- Comment #2 from grichier@scaleway.com ---
Seems related to olcBkLloadStartTLS ignore.
Using static config, starttls is working ...
---------------------
listen "ldap://:1389"
feature proxyauthz
TLSShareSlapdCTX true
bindconf bindmethod=simple network-timeout=5 binddn=* credentials=* tls_cacert="/etc/ldap/certs/cacert.pem" tls_cert="/etc/ldap/certs/cert.pem" tls_key="/etc/ldap/certs/private.key"
tier roundrobin
backend-server uri=ldap://ldap01.example.com retry=5000 max-pending-ops=50 conn-max-pending=10 numconns=10 bindconns=5 starttls=critical
backend-server uri=ldap://ldap02.example.com retry=5000 max-pending-ops=50 conn-max-pending=10 numconns=10 bindconns=5 starttls=critical
Ondřej Kuzník ondra@mistotebe.net changed:
What              |Removed            |Added
----------------------------------------------------------------------------
Assignee          |bugs@openldap.org  |ondra@mistotebe.net
Ever confirmed    |0                  |1
Status            |UNCONFIRMED        |IN_PROGRESS

--- Comment #3 from Ondřej Kuzník ondra@mistotebe.net ---
Thanks for the report, indeed it's down to the runtime change not being applied when it should. The following MR should correct the issue: https://git.openldap.org/openldap/openldap/-/merge_requests/760
Ondřej Kuzník ondra@mistotebe.net changed:
What              |Removed            |Added
----------------------------------------------------------------------------
Target Milestone  |---                |2.5.20
Ondřej Kuzník ondra@mistotebe.net changed:
What              |Removed            |Added
----------------------------------------------------------------------------
Keywords          |needs_review       |
--- Comment #4 from grichier@scaleway.com ---
I tried to apply your change, built the lloadd module and now it works like a charm. I will wait until the MR is officially merged to use it. Thanks